A security analyst is reviewing the security posture of a manufacturing plant's Industrial Control System (ICS). The system is considered highly critical and is physically isolated from the company's main IT network. Which of the following represents the MOST appropriate security principle to apply when establishing a baseline for this ICS?
The primary security control is the air gap, so baseline configurations should focus exclusively on preventing network bridging.
The vendor is solely responsible for providing security patches, so a custom baseline is unnecessary.
The security baseline can be less stringent than corporate IT systems because the air gap effectively mitigates all major threats.
A stringent, specialized baseline is required because critical systems must be protected from a wide range of threats, including those that do not originate from the network.
The correct principle is that ICS environments require stringent security baselines tailored to their unique operational needs, regardless of network isolation. Even physically isolated or 'air-gapped' systems are vulnerable to threats from removable media (like USB drives), insider threats, and supply chain attacks. Therefore, assuming isolation negates the need for strong security is a dangerous misconception. While an ICS baseline may differ from a standard IT baseline in its priorities (e.g., emphasizing availability and safety over confidentiality) and implementation details (e.g., patch management schedules), it must be comprehensive and robust. Relying on the vendor for all security or applying a less stringent baseline are both inadequate security practices.